ssl incorrect certificate order causes error
liamwhite opened this issue · 3 comments
Describe the bug
Wix websites present an incorrectly ordered certificate chain which the ssl module cannot verify - however this issue is not present in any web browsers, or openssl s_client as they can verify the certificate just fine.
To Reproduce
1> ssl:start(), ssl:connect("images-wixmp-ed30a86b8c4ca887773594c2.wixmp.com", 443, [{verify, verify_peer},
{cacerts, public_key:cacerts_get()}]).
=NOTICE REPORT==== 20-Jun-2024::12:34:45.816504 ===
TLS client: In state wait_cert_cr at ssl_handshake.erl:2162 generated CLIENT ALERT: Fatal - Bad Certificate
{error,{tls_alert,{bad_certificate,"TLS client: In state wait_cert_cr at ssl_handshake.erl:2162 generated CLIENT ALERT: Fatal - Bad Certificate\n"}}}
Expected behavior
The connection should be successful
openssl s_client images-wixmp-ed30a86b8c4ca887773594c2.wixmp.com:443
returns:
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.wixmp.com
verify return:1
...
Verify return code: 0 (ok)
Affected versions
OTP 27
The reason is that you need to configure sha1 to be an allowed signature algorithm for certs. See discussion in #8588
In this example I included the best way of doing it.
ssl:connect("images-wixmp-ed30a86b8c4ca887773594c2.wixmp.com", 443, [{customize_hostname_check, [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}, {signature_algs_cert, ssl:signature_algs(default, 'tlsv1.3') ++ [{sha, rsa}]}, {cacerts, public_key:cacerts_get()}]).
{ok,{sslsocket,{gen_tcp,#Port<0.10>,tls_connection,
undefined},
[<0.154.0>,<0.153.0>]}}
Note that you also need to customize the hostname check for this site, which you will discover once you allow {sha, rsa}, or it will work equally well using rsa_pkcs1_sha1, which is the TLS-1.3 name for this legacy algorithm, only allowed for certificate signatures in TLS-1.3.
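
An added example, not part of the thread or of OTP itself: the options from the reply above, wrapped so that the SHA-1 certificate-signature exception applies only to hosts on an explicit allowlist while every other host keeps the default algorithms. The module name, function names, allowlist and 10-second timeout are assumptions made for illustration.

```erlang
-module(tls_legacy_connect).
-export([connect/2, options_for/1]).

%% Hypothetical allowlist: hosts whose chain is known to need SHA-1
%% certificate signatures. Only the host from this issue is listed.
-define(LEGACY_SHA1_HOSTS,
        ["images-wixmp-ed30a86b8c4ca887773594c2.wixmp.com"]).

%% Connect with peer verification always on; the timeout is an assumption.
connect(Host, Port) ->
    {ok, _} = application:ensure_all_started(ssl),
    ssl:connect(Host, Port, options_for(Host), 10000).

%% Build client options. Verification against the OS trust store and
%% HTTPS-style hostname matching (as in the reply) apply to every host.
options_for(Host) ->
    Base = [{verify, verify_peer},
            {cacerts, public_key:cacerts_get()},
            {customize_hostname_check,
             [{match_fun,
               public_key:pkix_verify_hostname_match_fun(https)}]}],
    case lists:member(Host, ?LEGACY_SHA1_HOSTS) of
        true ->
            %% Extend only signature_algs_cert, which governs signatures
            %% on certificates in the chain. signature_algs, which governs
            %% handshake signatures, is left at its default.
            Algs = ssl:signature_algs(default, 'tlsv1.3') ++ [{sha, rsa}],
            [{signature_algs_cert, Algs} | Base];
        false ->
            %% Any other host keeps the default certificate algorithms.
            Base
    end.
```

Calling `tls_legacy_connect:connect(Host, 443)` for a host that is not on the allowlist uses the default algorithm list, so a chain that depends on SHA-1 signatures will still be rejected there.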